# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.
#
# Every rule below is granted to update_engine_common (and therefore to both
# the daemon and recovery) except where noted otherwise.

# Allow update_engine to reach block devices in /dev/block.
allow update_engine_common block_device:dir search;

# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file rw_file_perms;
allow update_engine_common system_block_device:blk_file rw_file_perms;

# Where ioctls are granted via standard allow rules to block devices,
# automatically allow common ioctls that are generally needed by
# update_engine.
# NOTE(review): dev_type is the broad device attribute, so any present or
# future blk_file ioctl grant on a dev_type-labeled device inherits this set.
# The set itself is limited to the discard, zero-out and read-only-flag ioctls
# listed below.
allowxperm update_engine_common dev_type:blk_file ioctl {
  BLKDISCARD
  BLKDISCARDZEROES
  BLKROGET
  BLKROSET
  BLKSECDISCARD
  BLKZEROOUT
};

# Allow to set recovery options in the BCB. Used to trigger factory reset when
# the update to an older version (channel change) or incompatible version
# requires it.
allow update_engine_common misc_block_device:blk_file rw_file_perms;

# read fstab
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file r_file_perms;

# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
# NOTE(review): labeledfs is the generic attribute for labeled filesystems and
# is broader than postinstall_file above; relabelto is deliberately absent, so
# a labeledfs mount can only be relabeled away from, never to. Confirm which
# filesystem types the postinstall mount actually needs.
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };

# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
allow update_engine_common postinstall_file:lnk_file r_file_perms;
allow update_engine_common postinstall_file:dir r_dir_perms;

# install update.zip from cache
r_dir_file(update_engine_common, cache_file)

# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.
allow update_engine_common shell_exec:file rx_file_perms;

# Allow update_engine_common to suspend, resume and kill the postinstall program.
# Only signal delivery is granted; the postinstall program runs in its own
# domain (postinstall), so this is not a blanket process grant.
allow update_engine_common postinstall:process { signal sigstop sigkill };

# access /proc/cmdline
allow update_engine_common proc_cmdline:file r_file_perms;

# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)

# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)

# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
# NOTE(review): the first rule grants r_dir_perms on the generic sysfs type,
# not just /sys/fs/ext4; only f2fs has a dedicated type here. Confirm that a
# narrower label for /sys/fs/ext4 is not available.
allow update_engine_common sysfs:dir r_dir_perms;
allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;

# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;

# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;

# read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
# NOTE(review): these two rules are scoped to update_engine, not
# update_engine_common like the rest of this file, so the recovery sideload
# path does not receive them. Confirm that is intended.
allow update_engine dm_user_device:dir r_dir_perms;
allow update_engine dm_user_device:chr_file r_file_perms;

# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;

# ioctl on super device to get block device alignment and alignment offset
# Presumably this adds to the dev_type ioctl set above, if
# super_block_device_type carries the dev_type attribute -- verify.
allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

# get physical block device to map logical partitions on device mapper
# Widens the block_device:dir search granted at the top of this file to
# r_dir_perms.
allow update_engine_common block_device:dir r_dir_perms;

# Allow update_engine_common to write to statsd socket.
unix_socket_send(update_engine_common, statsdw, statsd)

# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)

# Allow to read GKI related flags.
get_prop(update_engine_common, ab_update_gki_prop)
get_prop(update_engine_common, build_bootimage_prop)

# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
# Only search is granted on the metadata_file directory itself; read/write and
# create are confined to objects labeled ota_metadata_file.
allow update_engine_common metadata_file:dir search;
allow update_engine_common ota_metadata_file:dir rw_dir_perms;
allow update_engine_common ota_metadata_file:file create_file_perms;